Merge branch 'PHP-7.1' into PHP-7.2

* PHP-7.1:
  Validate length on socket_write

5 files changed, 55 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 14447cb2a4..cb22af2c77 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
   . Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb)
   . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb)
 
+- Sockets:
+  . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
 08 Nov 2018, PHP 7.2.12
 
 - Core:
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index efa66f471a..fae7e53382 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1175,6 +1175,11 @@ PHP_FUNCTION(socket_write)
 		return;
 	}
 
+	if (length < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@@ -1717,6 +1722,11 @@ PHP_FUNCTION(socket_send)
 		return;
 	}
 
+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@@ -1879,6 +1889,11 @@ PHP_FUNCTION(socket_sendto)
 		return;
 	}
 
+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
diff --git a/ext/sockets/tests/socket_send_params.phpt b/ext/sockets/tests/socket_send_params.phpt
new file mode 100644
index 0000000000..44be133bf9
--- /dev/null
+++ b/ext/sockets/tests/socket_send_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_send($s_c, "foo", -1, MSG_OOB);
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_sendto_params.phpt b/ext/sockets/tests/socket_sendto_params.phpt
new file mode 100644
index 0000000000..f232258ec0
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1');
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_write_params.phpt b/ext/sockets/tests/socket_write_params.phpt
index 5d0f113ca0..0ebd69192a 100644
--- a/ext/sockets/tests/socket_write_params.phpt
+++ b/ext/sockets/tests/socket_write_params.phpt
@@ -17,6 +17,7 @@ fa@php.net
     $s_c = socket_create_listen(31330+$rand);
     $s_w = socket_write($s_c);
     $s_w = socket_write($s_c, "foo");
+    $s_w = socket_write($s_c, "foo", -1);
     socket_close($s_c);
 ?>
 --EXPECTF--
@@ -25,3 +26,5 @@ Warning: socket_write() expects at least 2 parameters, 0 given in %s on line %i
 Warning: socket_write() expects at least 2 parameters, 1 given in %s on line %i
 
 Warning: socket_write(): unable to write to socket [%i]: %a in %s on line %i
+
+Warning: socket_write(): Length cannot be negative in %s on line %i